ExpressVPN Glossary

Firewall rules

What is a firewall rule?

A firewall rule is an instruction that tells a firewall whether to allow, block, or monitor network traffic based on defined conditions. These rules control how data moves between networks, devices, or applications and help protect systems from unauthorized access.

How do firewall rules work?

When a data packet attempts to enter or leave a network, the firewall checks the packet against its rules based on attributes of network traffic, such as the source IP address, destination IP address, protocol, and port number.

If the traffic matches the conditions of a rule, the firewall applies the action associated with that rule, such as allowing or blocking the connection. Rules are evaluated in a specified order, and the firewall checks them until it finds the rule that matches the packet. Once a matching rule is found, its action is applied, and the firewall usually stops evaluating further rules for that packet.

Common firewall rule categories

Firewall rules can vary depending on the direction of network traffic, the action applied to matching traffic, or the criteria used to filter connections.

  • Inbound rules: Control traffic coming into a network or device from external sources.
  • Outbound rules: Control traffic leaving a network toward external systems.
  • Allow rules: Permit specific network traffic that matches defined criteria, such as traffic from a trusted IP address or to a specific port.
  • Deny or block rules: Prevent traffic that matches certain conditions from entering or leaving the network.
  • Logging rules: Instruct the firewall to record information about matching traffic for monitoring, troubleshooting, or security analysis.
  • Application rules: Restrict or allow traffic based on the application generating the request.
  • Protocol or port rules: Filter traffic based on network protocols or port numbers used by services.

Common use cases

Firewall rules are widely used to manage and secure network traffic across organizations and digital systems. Typical use cases include:

  • Allowing access to public services such as websites or email servers.
  • Blocking known malicious or suspicious traffic.
  • Restricting administrative access to specific internal networks.
  • Controlling which applications can communicate with external services.
  • Preventing unauthorized connections to sensitive systems or databases.

Key considerations for firewall rules

While firewall rules help control network traffic and improve security, problems can arise with:

  • Misconfiguration: Incorrect rule order, overly permissive rules, or overly restrictive settings may allow unauthorized access or block legitimate traffic and services.
  • Rule complexity: Large or poorly documented rule sets can become difficult to manage, increasing the likelihood of errors, conflicts, or outdated rules remaining active.
  • Logging and monitoring: Firewall logs may contain IP addresses, timestamps, and connection metadata that reveal patterns of user or device activity if not properly secured.

FAQ

What’s the difference between stateful and stateless firewalls?

A stateful firewall evaluates packets in the context of an existing session, while a stateless firewall evaluates each packet independently.

What is a “default deny” policy, and why use it?

A default deny policy blocks all incoming traffic that has not been explicitly permitted by the firewall policy.

How do I prioritize rule order?

Firewall rules are typically ordered from the most specific to the most general, placing restrictive rules and exceptions first so they are evaluated before broader allow rules that might otherwise permit unintended traffic.
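
The first-match evaluation, default deny, and most-specific-first ordering described on this page, as an added example (not code from ExpressVPN or from any firewall product). It models a simplified packet filter; the `Rule`, `evaluate`, and `shadowed` names, the rule names, and all addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR form
    proto: str             # "tcp", "udp" or "any"
    port: Optional[int]    # destination port; None means any port

    def matches(self, src_ip, proto, port):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and self.proto in ("any", proto)
                and self.port in (None, port))

    def covers(self, other):
        """True if every packet matching `other` also matches this rule."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and self.proto in ("any", other.proto)
                and self.port in (None, other.port))

def evaluate(rules, src_ip, proto, port, default="deny"):
    """First-match evaluation; unmatched traffic gets the default action."""
    for rule in rules:
        if rule.matches(src_ip, proto, port):
            return rule.action, rule.name
    return default, "default"

def shadowed(rules):
    """Pairs (rule, earlier rule) where the earlier rule makes the later one unreachable."""
    found = []
    for i, later in enumerate(rules):
        earlier = next((r for r in rules[:i] if r.covers(later)), None)
        if earlier is not None:
            found.append((later.name, earlier.name))
    return found

# Constructed sample policy: SSH for the internal network, except the guest subnet.
HTTPS = Rule("allow-https", "allow", "0.0.0.0/0", "tcp", 443)
INTERNAL_SSH = Rule("allow-internal-ssh", "allow", "10.0.0.0/8", "tcp", 22)
GUEST_SSH = Rule("deny-guest-ssh", "deny", "10.0.50.0/24", "tcp", 22)
MISORDERED = [HTTPS, INTERNAL_SSH, GUEST_SSH]   # broad allow placed before the exception
ORDERED = [HTTPS, GUEST_SSH, INTERNAL_SSH]      # exception first, then the broader allow

if __name__ == "__main__":
    print(evaluate(MISORDERED, "10.0.50.7", "tcp", 22), shadowed(MISORDERED))
    print(evaluate(ORDERED, "10.0.50.7", "tcp", 22), shadowed(ORDERED))
```

Running a shadow check like this over an exported rule set is one way to catch the rule-order misconfigurations and dead rules that accumulate in large policies.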

Do firewall rules stop malware and phishing?

Not entirely. Firewall rules can help block some malicious traffic by restricting connections to known harmful IP addresses, ports, or services. Stopping malware or phishing attacks often requires additional protections such as email filtering, endpoint security, and threat detection tools.

How do firewall rules relate to VPN connections?

Firewall rules usually control whether virtual private network (VPN) traffic can enter or leave a network and may restrict access to internal systems through a VPN tunnel.